How the research was conducted and what it found
Straiker, a company specializing in agentic AI security, published the first annual report of its STAR Labs research team on July 14, 2026. Researchers conducted thousands of attack scenarios across three categories of AI agents: coding agents, productivity agents, and custom enterprise (first-party) agents. The result was more than 1,700 successful infiltrations.
The study tested real production tools used daily by millions of developers worldwide — Cursor, Claude Code, GitHub Copilot, as well as enterprise assistants like ChatGPT Enterprise, Microsoft 365 Copilot, Gemini for Workspace, and Perplexity Comet.
Coding agents: every third attack means taking over the computer
According to the research, coding assistants represent the highest-risk category. 36% of successful attacks on these agents ended in remote code execution (RCE) on the developer's machine — the same machine that contains source code and cloud access keys. In one proof-of-concept test, researchers even purchased Google ads to outrank the legitimate installation page in search results and capture developer tool login credentials.
For context: RCE (Remote Code Execution) means an attacker can run arbitrary code on someone else's computer — install malware, steal data, delete files, or move laterally into the corporate network. For coding agents that inherently have access to the terminal, file system, and often repositories as well, this is a catastrophic scenario.
GhostFabric: when an AI agent lets malware in without a single suspicious word
A concrete demonstration of this vulnerability is the GhostFabric case, which Straiker uncovered around the turn of April and May 2026. A researcher asked Google Antigravity — a coding agent running on Gemini 3.1 Pro — to try out a home automation project shared via Google Drive. No jailbreak, no hidden instruction, no manipulation. Just an ordinary request, the kind agents receive dozens of times a day.
Alongside a regular Python script, the project contained a precompiled file disguised as a temperature sensor driver. Antigravity performed a single security check — it verified that the CPU architecture matched the test machine. No analysis of what the binary file actually does. The agent downloaded and ran the file. It immediately read the Documents folder and sent the stolen data covertly via the VXLAN protocol, which cloud data centers use for internal communication — and which most security tools don't inspect at all.
Google closed the incident as a form of prompt injection, i.e., a known risk category, not as a vulnerability requiring a fix. In other words: as long as coding agents can automatically download and run unapproved code, the GhostFabric scenario remains relevant.
Productivity agents: silent data theft with no traces
Even more disturbing numbers came from the research on productivity agents — assistants that read emails, documents, messages, and web content on behalf of the user. 91% of successful attacks on these agents ended in silent data exfiltration. No malware, no phishing link, no jailbreak. The data simply leaked out quietly, leaving no trace in the system.
This is a fundamental problem for companies deploying these assistants at scale. Traditional security tools — endpoint protection, firewalls, vulnerability scanners — read code, endpoints, and network packets, not the semantic layer where the agent decides whether to execute a malicious instruction. In other words: they monitor traditional attack vectors but cannot see what is happening inside the agent's "thinking."
The AI agent supply chain is an unmanaged risk
The research also mapped the scope of the problem in the agentic AI supply chain. Of nearly 18,000 monitored MCP servers (Model Context Protocol — a standard for connecting agents to external tools and data), 24% contained at least one vulnerability. Of more than 130,000 catalogued tools, 28.6% were rated as high-risk. And on one AI Skills marketplace, roughly 5% of published skills were flagged as malicious or high-risk.
The problem is that a single compromised MCP server or malicious skill threatens all types of agents simultaneously — coding, productivity, and enterprise alike.
A new class of threats: AiPT and LAVA
The STAR Labs researchers introduce two new terms in the report that they say define the emerging era of cyber threats:
- AiPT (AI-Powered Persistent Threats) — attackers that are themselves agents. They use offensive kits like Cyberspike Villager to automate reconnaissance, exploitation, and persistence. This is not a human hacking AI, but AI hacking on behalf of a human.
- LAVA (Language-Augmented Vulnerabilities in Applications) — a new class of vulnerabilities that exist in the linguistic layer where agents reason. Traditional scanners cannot see it because they don't read natural language instructions.
What this means for Czech companies and developers
Czech developers and companies are using these tools in increasing numbers. GitHub Copilot, Cursor, and Claude Code are a standard part of developer workflows even in Czech technology firms. The study shows that current security models are not up to this threat.
Moreover, under the EU AI Act, the European Union classifies AI systems with access to sensitive infrastructure as high-risk — and requires appropriate security measures. The Straiker report suggests that most AI agents in use today would likely fail a thorough security audit.
Straiker — which raised $64 million in a Series A round this June from investors including Marathon, Bain Capital Ventures, and Lightspeed — offers its own platform for discovering, testing, and protecting AI agents. Its STAR Framework maps the attack surface across four layers (application, model, tools, and data) and three agent types.
For companies already deploying or planning to deploy AI agents, the researchers recommend three immediate measures: never let a coding agent automatically run unsigned code, sandbox every binary the agent introduces, and monitor internal network traffic (not just at the perimeter).
Are regular users at risk too, or only businesses?
The primary risk is to developers and companies using AI coding assistants with terminal and file system access. A regular ChatGPT user who just chats with AI is not threatened by this type of attack. However, the risk also applies to companies using enterprise assistants like Microsoft 365 Copilot, which read corporate documents and emails.
How do I know if my AI agent has been compromised?
That is precisely the core of the problem — in 91% of successful attacks on productivity assistants, no trace was left behind. Traditional security tools don't see these attacks because they don't operate at the semantic level where the agent makes decisions. The solution lies in specialized tools for runtime AI agent protection that analyze the agent's context and behavior in real time.
Does any of this apply to AI assistants used in Czech?
Yes. The vulnerabilities described in the research are not language-dependent — they concern the architecture of agents, their access to tools, and the trust we place in them. A Czech developer using Cursor or GitHub Copilot faces the same risk as a colleague in the US. Czech localization changes nothing about the nature of the threat.